It’s the holiday shopping season and retailers around the world are preparing for the crush of orders that comes during the weeks leading up to the holidays. It’s also the time of year retailers should prepare to be extra vigilant protecting their data – including data of their employees, customers, and partners – from online hackers and scammers.
A new Cyber Readiness Institute survey finds that three-quarters of U.S. consumers are less likely to make online purchases from small businesses that suffer cyber attacks. Online shoppers also believe large retailers are more likely to protect their security and privacy, but small retailers should offer the same protections.
Retailers face unique challenges regarding their technology and people, but the key to cyber readiness revolves around educating your workforce. These challenges are real and complex, but some very effective–and easy–solutions are not. Here are some basic tips to help keep the holiday season a merry one for retailers:
Cybersecurity Challenges For Retailers
When thinking about the numerous challenges that retailers face, it is important to prioritize cybersecurity risks. Retailers trade with a large number of suppliers, assume responsibility for the actions of employees and collect confidential information from consumers. As the point of intersection between suppliers, employees, and consumers, retailers are associated with many stakeholders and must consider vulnerabilities and consequences in all directions.
From the supply side, the retailer is a gateway to every member of their supply chain. No matter the size, each link of the chain is a potential point of entry for hackers. Small, local retailers can be targets for malicious actors to gain access to large suppliers. Likewise, small suppliers can be used to access a larger company’s system.
Retailers must look within their organizations to identify internal threats. To prepare for holiday shoppers, it is especially common for retailers to hire part-time/seasonal employees. Though they alleviate stress due to the holiday rush, these types of employees can pose a sizeable risk, depending on the extent of their training and the access they possess within the organization. Employers must remain diligent in training all employees because everyone is a member of the cyber workforce, and anyone can be responsible – knowingly or unknowingly – for a cyber attack.
From the consumer perspective, online transactions yield a significant amount of personal and often payment information. It is important that retailers manage the storage of and access to this data securely. Retailers that offer delivery service can be easily preyed upon due to the prevalent transferring and sharing of confidential information. These types of transactions serve as additional gateways hackers can use to attempt to gain entry. Protecting customer data should be a top priority for a retailer of any size as hackers tend to focus their attacks on this type of information.
Retailers typically have a large number of suppliers, both direct and indirect. With a supply chain of any size, there are weak links and points of entry for malicious actors. As hackers develop more advanced techniques, Account Takeover (ATO) presents itself as an emerging threat to the e-commerce industry.
New techniques like credential stuffing allow hackers or bots to take advantage of stolen data en masse to force their way into customer accounts with code that draws from usernames and passwords that are likely reused on multiple sites. Once a point of entry has been compromised, hackers essentially take over the user’s online identity and can commit fraud or theft in the user’s name.
This type of threat is unique in that the onus falls equally on the consumer and the retailer. Consumers can safeguard their identity through strong password protocol: 64-character passphrases, two-factor authentication, and avoiding password reuse across multiple accounts. A breach leaves consumers feeling violated and vulnerable, thus marring the user experience and the company’s reputation. It is the retailer’s responsibility to take ownership of such security breaches, educate consumers, enforce best practices for user account settings, enable account activity alerts to catch attacks earlier and share experiences/knowledge with others in the industry.
Secure Passwords Tip: The best password is a passphrase with 64 characters. Passphrases can be easier for people to remember and they only need to be changed if/when it is breached. Also, people can save the passphrase in their keychain, so they don't need to type it in every time.
For more on ATO: https://rhisac.org/blog/how-to-mitigate-account-takeover-in-retail/; https://rhisac.org/wp-content/uploads/2018-Holiday-Guidance_ATO-Quick-Wins.pdf
With e-commerce and online shopping ever on the rise, retailers collect a huge amount of Personally Identifiable Information (PII) and credit card details from every transaction. This abundance of data attracts malicious actors to partake in skimming, a serious threat to retailers with harmful consequences.
Skimming attacks can be covertly injected into vulnerable retail systems and often bypass basic security measures, thus making them virtually undetectable by buyers and sellers alike. Once inside an e-commerce portal, the attacker may gain access to and skim off personal and payment information from online transactions during checkout.
While detecting a potential attack before it wreaks havoc is important, preventing the attack from latching onto your online system in the first place is even better. To shield your business, your defense strategy needs to be multifaceted and should utilize auto-updates to ensure the latest security patches are installed in your system.
Software Updates Tip: Automation (turning on auto-update) is a great way to stay aware of new patches and schedule their installation at a convenient time. Rebooting your computer is also another way to ensure patches get installed.
For more details on best practices, please refer to the following: https://rhisac.org/blog/the-threat-of-online-skimming-to-payment-security/; https://rhisac.org/blog/detecting-and-responding-to-pos-skimmers-and-shimmers/
Stop the Phishers
Many retailers have a large proportion of employees that may be using personal devices to access company information, particularly if the company employs part-time workers. It is important to promote safe, Bring-Your-Own-Device (BYOD) protocol.
The BYOD trend is cost-effective, not only in terms of procurement of the device at the outset but also because employees are more inclined to maintain and update personal devices than they are with corporate devices. Encouraging employees to use personal devices at work also reduces the learning curve and time typically associated with training/orientation for company-provided devices, and as a result, can increase worker productivity.
In today’s post-perimeter world, organizations have less control over the devices their employees use, the content that is accessed on those devices, and the networks on which that content is accessed. To reap the benefits associated with the BYOD movement, it is even more crucial for employees to be educated about phishing threats. With one device bridging the gap between work and personal usages, a phisher can do double the damage if granted entry.
Stop the Phishers Tip: Organizations should educate their employees on what to look for in an email to determine if it is a phishing attempt. If an employee has any concerns, he or she should contact the company’s IT expert. Companies should run basic phishing training regularly.
For more information on BYOD: https://risnews.com/why-retailers-should-embrace-byod-revolution#close-olyticsmodal
Keep the USBs Away
Many retailers attend tradeshows or conferences to connect with other professionals in the industry. Companies often provide free products to promote their business, such as stickers, water bottles, or USBs. Though most of these items are harmless, USBs carry huge risks. They may be infected with malware that, when inserted into a computer, have the potential to cause serious damage. An infected USB can destroy your device, as well as put your customers’ private data in jeopardy.
Like most cyber attacks, a USB attack is opportunistic. Hackers will infect USB drives with malicious software, such as viruses, spyware, rootware and more. All of these can do irrevocable damage to your network as soon as they are installed.
USB attacks rely on human behavior for success. In most cases, the providers of USBs do not know if the USB is infected. Many people will plug an unknown USB into their computer.
Keep the USBs Away Tip: Adopt an online or cloud-based file-sharing system that is access protected so you don’t need to use a USB.
You can find more details about launching cybersecurity programs for small businesses and sign up at https://www.cyberreadinessinstitute.org/sign-up. Questions? Email email@example.com.